Security Review initiation

Part 7 Security Review Initiation for AppExchange Applications

The review process takes about 6-8 weeks, counted from the point at which everything has been provided:

  • Your documentation is complete and accurate
  • The test environment is complete, fully configured, and includes all necessary information
  • You have met the requirements
  • You are within the agreement guidelines

Before submitting for security review, make sure your application is enrolled in either the ISVforce or Embedded program.

Initiate the security review for your offering by logging into the AppExchange Publishing Console and clicking "Start Review" on your offering. For existing offerings that are due for a security re-review, you must also submit a case in the Partner Portal.

The steps involved in the process are:

  • Provide Company Information
  • Define Application Components: such as the components, the technologies used, any third-party APIs, web services or web applications, and so on.
  • Provide Test Environments
  • Upload Scanner Reports: you will be prompted to submit the security reports generated earlier. Under “Security Code Scanner report”, attach the report you got from Checkmarx. If Checkmarx reported any false positives, attach a document explaining each one. If your offering uses external services, you will have scanned them with ZAP or Chimera; provide any reports from these tools under “Other report or documentation”.
  • Payment: You may also have to pay for the security review and the annual listing fee (discussed in the section ‘Pricing’ above).
  • Distribution agreement with Salesforce

Once you have submitted your app for security review, you also need to submit a case with Salesforce Support; this expedites the review process. The security review team then performs manual and automated application and network security testing, after which you receive your review results.

Salesforce’s security review process is both qualitative (a question-and-answer round to review policies and procedures) and quantitative (network and application penetration tests).

Partner applications are subject to periodic, random re-review at any time.
